Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
01:00 PM
Tim Sadler
Tim Sadler
Connect Directly
E-Mail vvv

Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?

Consider four factors and behaviors that impact a particular employee's risk, and how security training should take them into account.

Companies are spending significant resources trying to reduce security risk among employees. And they spend billions each year on training, yet major data breaches continue to make headlines, and human error remains the leading cause of a breach. Where's the disconnect?

Related Content:

6 Free Cybersecurity Training and Awareness Courses

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Can I Test the Security of My Home-Office Employees' Routers?

One major problem is that companies haven't adapted their security training as quickly as cybercriminals have evolved their attack methods. Cybercriminals increasingly target specific employees based on real-time factors like tenure, department, and location to make their scams more believable. To safeguard against these threats, security training must be as tailored and sophisticated as attack methods. 

There are a number of factors and behaviors that affect a particular employee's risk. Here are four of them, and how security training should take them into account.

Department and Job Function
Cybercriminals craft convincing scams by tailoring them based on an employee's department and role. They comb platforms like LinkedIn and company websites to find these details.

Security training should be tailored by job function and provide employees with real-world examples of the scams most likely to target them. For example, the CFO and finance department might be targeted by more business email compromise attacks like wire transfer fraud, and they should be trained on them accordingly. 

Human error also differs by department. For example, sales teams often have access to large swaths of personal information. Train these teams on how to avoid data loss risks, like sending documents or attachments to their personal emails.

Individualized training allows companies to prioritize training for employees with access to sensitive data, such as customer Social Security numbers and financial information, and for the departments that are most often targeted. For this reason, information on employees' roles and access should be automatically updated.

Employee Tenure
New employees are often specifically targeted by hackers, and social media makes this easy. Tessian found that 93% of US respondents post about a new job on social media. 

Because new employees are less familiar with colleagues and company security protocols, they are often less able to identify abnormal requests. Cybercriminals know this and take advantage of it. For example, they'll pose as an IT team member or customer service rep asking for login credentials to set up software or account permissions. 

Security training and tactics should focus on where new employees' vulnerabilities lie so they know what to look for. A careful review of security guidelines and best practices should be integrated into the onboarding process early on. 

Remote or In-Office Work
Security was a major challenge for many companies during the transition to remote work. Now they will face new hurdles with a complex shift to hybrid work. It's highly likely that cybercriminals will continue to target remote employees and take advantage of any uncertainty caused by the hybrid workplace.

Distraction is an important risk factor here. Over half (57%) of employees say they feel more distracted when working from home, while 47% cited distraction as the top reason for falling for a phishing scam. People tend to make more mistakes, like clicking a link without verifying an email sender, during these situations. It's also more difficult to verify a legitimate request from a colleague when you're not in the same location.

Employees should be trained on the specific security risks unique to working from home, in an office, or in a hybrid environment. 

Risk of Human Error
Security training often focuses only on risks like phishing scams that aim to trick employees. But simple human mistakes also lead to data breaches — for example, when an employee sends sensitive information to the wrong email recipient. The most effective tools will flag this behavior in real time as an employee is about to make a poor decision. Humans learn best in context, so training is best delivered in-the-moment rather than in lengthy modules that happen once per quarter.

Training has an important opportunity to make employees aware not only of general security risks, but also improve their individual behaviors over time. Do they download large amounts of sensitive data when they only need to access a small portion? Do they have a history of falling for phishing scams? Security reminders should be tailored to past behavior and delivered consistently. 

This is not about shaming or punishing individual employees. The goal is to arm them with specific, relevant knowledge based on their own workplace habits. 

Better for Employees, Better for Organizations
Tailored training is a win-win for both organizations and their employees. Instead of sitting through long, boring training sessions that interrupt productivity, employees' time can be spent only on the most relevant information. Training becomes more engaging and more memorable. Meanwhile, organizations save resources by making training more effective and efficient. The ultimate goal is to create a wider security culture that leaves the organization better protected overall. 

Cybercriminals are consistently refining their techniques to trick employees, while workers are put in charge of more and more data as companies digitally transform. Security techniques should, similarly, continually incorporate new methods and technologies. By analyzing unique risk factors and making security training both individualized and automated, security leaders can protect employees without disrupting their work.

Tim is the Chief Executive Officer and co-founder of human layer security company Tessian. After a career in investment banking, Tim and his co-founders started Tessian in 2013, creating a cybersecurity solution that uses machine learning to protect people from risks on email ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Creating an Effective Incident Response Plan
Security teams are realizing their organizations will experience a cyber incident at some point. An effective incident response plan that takes into account their specific requirements and has been tested is critical. This issue of Tech Insights also includes: -a look at the newly signed cyber-incident law, -how organizations can apply behavioral psychology to incident response, -and an overview of the Open Cybersecurity Schema Framework.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-11-29
Garage Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via /garage/php_action/createBrand.php.
PUBLISHED: 2022-11-29
An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use th...
PUBLISHED: 2022-11-29
An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest...
PUBLISHED: 2022-11-29
Discourse is an open-source discussion platform. Prior to version 2.8.13 of the `stable` branch and version 2.9.0.beta14 of the `beta` and `tests-passed` branches, unauthorized users may learn of the existence of hidden tags and that they have been applied to topics that they have access to. This is...
PUBLISHED: 2022-11-29
The package com.github.samtools:htsjdk before 3.0.1 are vulnerable to Creation of Temporary File in Directory with Insecure Permissions due to the createTempDir() function in util/IOUtil.java not checking for the existence of the temporary directory before attempting to create it.